SSG 2014

• Intel® Active Management Technology is a component of our Digital Office
• initiative and is one of our *T (Star T)
• programs. This technology enables IT managers to remotely access and manage
• every networked computing system — even those that lack a working operating
• system or hard drive, or are turned off — as long as the platform is connected
• to line power and to the network. Intel® AMT uses a separate management
• processor that runs independently on the client machine and can be reached
• through the wired or wireless network.

• Management Console to detect the
• AMT system in Connected Standby low power state, power up the system to full S0
• state when required.

 

• What are the benefits of this
• feature:

• AMT’s coexistence with platforms
• supporting Microsoft Connected Standby feature provides the flexibility to end
• user to leave the system in low power state and yet be manageable by IT when
• needed. End users can now put the vPro systems in Connected stand by
• state for extended battery life, instant on capability and
• more.

• When connecting to the
• internet or web applications, users want
• the confidence that their communications and data are being secured. 
• Securing the connection and the
• data traveling across that connection
• can be compute intensive and therefore impacting the users experience either
• through visible performance degradation or in terms of shorter battery life.  By
• optimizing key cryptographic ciphers using the above mentioned technology, the overhead of
• establishing and maintaining a secure connection can be diminished resulting in
• a smoother user experience and longer battery life. 

• Symmetric
• Encryption

• Enhance AES cipher performance using
• AES-NI

• Optionally enhance the performance of AES-GCM
• (Galois Counter Mode) using PCMULQDQ
• instruction

• Optimize HD video conferencing
• solutions to provide smooth and clear video over typical, remote bandwidths with
• minimal battery impact.

15+fps

1080p at <=1Mbps

• 720p at
• <=500kbps

• Enable Region of Interest variable
• quality to achieve <=300kbps

10+ participants

< 5W CPU power

• < 20% CPU
• utilization

• Mean Opinion Score >= 4
• (Good)

• Showcase significant HD video
• quality optimizations that can scale to other solutions and pave the way to
• focus on enhanced user experiences.

• Stretch goal to enable background
• HD background segmentation.

• stablish a deep technical engagement with at least one enterprise specific video
• conferencing solution provider.  Identify and execute the optimizations
• necessary to show smooth and clear HD video in typical environments such as
• offsite, VPN, and cellular connections with multiple parties.

• The key focus in 2014 is to better
• understand the challenges and opportunities in the enterprise space, how they
• align to the BKM's from consumer work, and how they differ from consumer. 
• Develop the methodologies specific to enterprise solutions that we can scale to
• a wider audience.

• Strong encryption requires two things:  Robust cryptographic algorithms
• and high quality keys (e.g. highly entropic random
• numbers).  Intel Secure Key provides highly
• entropic random numbers and PRNG seed material in
• order to provide the highest quality crypto keys, nonces, and initialization vectors
• possible.

• ISV integration or
• usage of RDSEED processor instruction for seeding
• ISV Pseudo Random Number Generator
• (PRNG)

and/or

• ISV integration or usage
• of  RDRAND processor instruction for direct consumption
• of random bytes or mixing with
• PRNG entropy pool

• ISV PV release of their software that implements IPT with PKI for the
• following use cases: * No Password VPN * S/MIME – email signing/encryption *
• Document signing * Certificate-base authentication to WiFi networks * SSL Client
• authentication Or ISV PV release of their software that implements the NFC Tap
• to Authenticate use case.

• Multifactor Authentication - Provide MFA Applet and Add capabilities to ISV client and/or cloud components
• to provision a PKI certificate that uses the Intel Cryptographic Service
• Provider (CSP). 
• * MFA provides a secure and satisfying user experience with immediate access
• to their stuff using many factors of authentication (Bluetooth leash, wearables,
• proximity sensors, voice, facial recognition, gait, NFC, IPT with PKI, Protected
• Transaction Display, etc.).   Biometrics, Built in NFC reader added to PCs
• allows for simple and secure user authentication with Intel IPT by tapping an
• NFC card or device on an Intel vPro system with IPT.   * User does not need to
• enter a password.  The user becomes the password.

• SCS is available with the ability
• to configure the platform with network identities associated with "safe zones"
• so that IT can enforce platforms to hibernate (S4) when leaving these areas in a
• sleep (S3) state or Connected Standby (S0ix) which will force drive encryption
• to lock.  The SCS will also be required to configure Intel Smart Connect
• Technology parameters where applicable.

IT

• Configure system with "safe"
• corporate network identities through the SCS

• Configure ISCT (when applicable)
• and set the associated wake interval

• Optionally - Once settings are
• applied to the Digital Fence service through the SCS, changes may be applied
• through Active Directory Group Policies.

 

User

• User unlocks the system / drive
• for normal use

• User suspends the system (S3 or
• S0ix) and leaves the office

• The system detects the absence of
• a "safe" corporate network

• The system briefly wakes and goes
• immediately into a hibernation state (S4)

• When entering S4, the drive is
• locked, protecting the data

 

• NOTE: A Connected Standby solution
• is not yet available and may not be available in the Broadwell timeframe

• The driving concept behind “Secure Containers” is the notion that IT can
• provision a Secure Enterprise partition on a BYOD device that supports Intel
• ProSSD.  ProSSD supports the OPAL standard v1.0 Rev3 which allows for the
• definition and management of multiple encrypted LBA ranges on the SSD.  Once
• this Enterprise range and associated OS partition has been created, it can be
• managed (meaning it can be locked, cryptographically erased, keys rotated,
• policy managed, etc.) at which point the enterprise would feel comfortable
• allowing Enterprise data to reside on it.  This way, the end-user is able to use
• their personal device in the enterprise but the enterprise IT dept. has a level
• of control regarding what enterprise data  goes on the system, where it is
• stored (in the Secure Container), and how its secured. 
• Enablement of one of the following solutions supporting the use of an Intel
• ProSSD 1500 or 2500 SSD: * Good o A single encrypted LBA Range (two OS
• partitions, one encrypted, the other not) created and policy managed via OPAL.
• The encrypted LBA range/partition would then host the enterprise data and is
• called the “Secure Container”. This means that all other user data would be
• unencrypted on disk.  This case is for those consoles that can only
• support/manage one encrypted LBA range. * Better o Two discrete encrypted LBA
• Ranges (two OS partitions created for each range) created via OPAL.  One
• encrypted LBA range/partition managed by IT to host Enterprise data.  The other
• managed by the end-user to host personal (non-enterprise data).  The benefit
• here allows the end-user to have full disk encryption, but control over the
• decryption key. * Best o Same as ‘better’ solution, but with a Data Loss
• Prevention solution activated which would attempt to prevent Enterprise data on
• the managed partition moving to some other place (thumb drive, user partition,
• etc.).

• Location Base Services - One or more location tracking servers must add support for EPID and HMAC
• signature validation of location data transmitted by vPro platforms and make the
• resulting, attested location data available to 3rd party applications through an
• API.  The location tracking servers must also implement the RESTful API required
• for configuration and communication between the vPro platform and location
• tracking server. One or more ERM solutions must consume the attested location
• data and compare it against configurable geo-fence boundaries to control
• document access based on physical location. 

• IT Perspective: * A location tracking server and associated infrastructure is
• deployed and configured for tracking physical location of WiFi devices. * vPro
• platforms are deployed to supported corporate users. * IT enables secure
• location based services through the PROSet administrator tool by pushing
• appropriately configured wireless profiles to each client system.  An additional
• tool, such as the SCS, is used to configure the LBS DAL applet with the
• necessary certificates for EPID signature creation (the "Secure" in Secure LBS).
• * Additional configuration is performed by IT through the location tracking
• service communicating to the vPro endpoint through the secure and authenticated
• channel configured by the SCS. * Geo-fence boundaries are configured in the
• corporate ERM solution.  Each boundary is assigned an associated set of document
• access policies. 
• * The user accesses corporate documents after authenticating with the ERM
• solution configured on their vPro platform.
• * As the user moves from one area of the corporate campus to another (e.g.
• from cubicle to café, or office to home) access to sensitive documents is
• changed to comply with corporate document access policies.

• A logical processor uses
• virtual-machine control data
• structures (VMCSs) while it is in VMX operation.
• These new structures manage transitions into and out of
• VMX non-root operation (VM entries and VM exits) as well as processor
• behavior in VMX non-root operation. This
• structure is manipulated by the new instructions VMCLEAR, VMPTRLD,
• VMREAD, and VMWRITE.

• Graphics Virtualization - The Graphics Processing Unit (GPU) has become a fundamental building block in
• today’s computing environment, accelerating tasks from entertainment
• applications (gaming, video playback, etc.) to general purpose windowing
• (Windows* Aero*, Compiz Fusion, etc.) and high performance computing (medical
• image processing, weather broadcast, computer aided designs, etc.).
• Today, we see a trend toward moving GPU-accelerated tasks to virtual machines
• (VMs). Desktop virtualization simplifies the IT management infrastructure by
• moving a worker's desktop to the VM. In the meantime, there is also demand for
• buying GPU computing resources from the cloud. Efficient GPU virtualization is
• required to address the increasing demands.
• Enterprise applications (mail, browser, office, etc.) usually demand a
• moderate level of GPU acceleration capability. When they are moved to a virtual
• desktop, our integrated GPU can easily accommodate the acceleration requirements
• of multiple instances

Intel® Identity Protection Technology 

An Added Layer of Hardware-based Security

• Protecting your identity and business data stored in the cloud requires
• strong authentication that's ideally rooted in hardware. Hardware-based
• authentication is widely regarded by security experts as a more effective
• approach than software-only authentication.
• Select PCs and other devices feature tamper-resistant, two-factor
• authentication built right into new
• Intel® Core™ vPro™ processors. Intel® Identity Protection Technology (Intel®
• IPT)1 helps prevent unauthorized access to your important personal
• and business accounts while reducing the cost of traditional hardware solutions.
• It also provides a simple way for web sites and businesses to validate that a
• user is logging in from a trusted PC.
• How Does Intel® Identity Protection Technology Work?

Intel IPT with one-time password (OTP)

• ntel IPT protects network and web site access points by providing enterprises
• with several ways to validate that a legitimate user—not malware—is logging in
• from a trusted platform. One option utilizes a one-time password (OTP), a
• unique, one-time-use, six-digit number generated every 30 seconds from an
• embedded processor. This tamper-proof solution operates in isolation from the
• operating system.1 Moreover, because the credential is protected
• inside the chipset, it cannot be compromised by malware or removed from the
• PC.

• Intel® AES-NI is a new encryption instruction set that improves on the
• Advanced Encryption Standard (AES) algorithm and accelerates the encryption of
• data in the Intel®
• Xeon® processor family and the Intel® Core™
• processor family.
• Comprised of seven new instructions, Intel® AES-NI gives your IT environment
• faster, more affordable data protection and greater security, making pervasive
• encryption feasible in areas where previously it was not.

• Encryption is frequently recommended as the best way to secure
• business-critical data, and AES is the most widely used standard when protecting
• network traffic, personal data, and corporate IT infrastructures.With
• recent advancements in cloud
• computing, where personal or business-critical information leaves the
• traditional IT environment, a more widely usable and secure encryption standard
• such as AES and acceleration mechanism like Intel® AES-NI are essential.
• Thankfully, AES is a widely-deployed encryption standard when protecting
• network traffic, personal data, and corporate IT infrastructures; and Intel®
• AES-NI can be used to accelerate the AES encryption. With such robust,
• affordable, and flexible options, Intel® AES-NI can help your business stay
• ahead of growing threats.

Public Key Infracturcre -Intel® IPT with PKI uses the Intel® Management Engine (Intel® ME) and 3rdGeneration Intel®Core™ i5 or i7 vPro™ processor-powered systems to provide a hardware based security solution. This solution provides enhanced protection of RSA cryptographic keys. The Intel® IPT with PKI software is exposed as a CSP via the Microsoft CryptoAPI software layer. Software that supports the use of cryptographic features through CryptoAPI can use Intel® IPT with PKI to:

Device Protection Technology 

• intel DPT with Security Extensions: 
• Dynamic Whitelisting, Power Effiecient Scans, URL Filtering, Intent Filering, Contextual Permisiion
• Intel DPT with Manageability Extensions (MDM)
• •Remote
• Configuration

• •Application
• Management

• •HW/SW
• Control

• •Inventory
• Monitoring

• •Kiosk
• Mode

• •Security
• Restrictions

• •Expense
• Mgmt

• Intel DPT with Manageability
• Extensions  (Containers)
• •Containerize any app, from any
• store

•“No Wrapping” or specialized apps

•Uncompromised native experience

•Selective mgmt. of corp data